summaryrefslogtreecommitdiff
blob: 71fed5deb0fed9b7defb37eb023c851d4a283e60 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

MODULES_OPTIONAL_IUSE=modules
inherit autotools bash-completion-r1 linux-mod-r1 systemd

DESCRIPTION="IPset tool for iptables, successor to ippool"
HOMEPAGE="https://ipset.netfilter.org/ https://git.netfilter.org/ipset/"
SRC_URI="https://ipset.netfilter.org/${P}.tar.bz2"

LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 arm arm64 ~loong ppc ppc64 ~riscv x86"

RDEPEND="
	net-firewall/iptables
	net-libs/libmnl:=
"
DEPEND="${RDEPEND}"
BDEPEND="virtual/pkgconfig"

DOCS=( ChangeLog INSTALL README UPGRADE )

# configurable from outside, e.g. /etc/portage/make.conf
IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}

PATCHES=(
	"${FILESDIR}/${PN}-bash-completion.patch"
	"${FILESDIR}/${P}-asan-buffer-overflow.patch"
	"${FILESDIR}/${P}-argv-bounds.patch"
)

src_prepare() {
	default
	eautoreconf
}

pkg_setup() {
	get_version
	CONFIG_CHECK="NETFILTER"
	ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
	CONFIG_CHECK+=" NETFILTER_NETLINK"
	ERROR_NETFILTER_NETLINK="ipset requires NETFILTER_NETLINK support in your kernel."
	# It does still build without NET_NS, but it may be needed in future.
	#CONFIG_CHECK="${CONFIG_CHECK} NET_NS"
	#ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
	CONFIG_CHECK+=" !PAX_CONSTIFY_PLUGIN"
	ERROR_PAX_CONSTIFY_PLUGIN="ipset contains constified variables (#614896)"

	build_modules=0
	if use modules; then
		if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
			if linux_chkconfig_present "IP_NF_SET" || \
				linux_chkconfig_present "IP_SET"; then #274577
				eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
				eerror "Please either build ipset with modules USE flag disabled"
				eerror "or rebuild kernel without IP_SET support and make sure"
				eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
				die "USE=modules and in-kernel ipset support detected."
			else
				einfo "Modular kernel detected. Gonna build kernel modules..."
				build_modules=1
			fi
		else
			eerror "Nonmodular kernel detected, but USE=modules. Either build"
			eerror "modular kernel (without IP_SET) or disable USE=modules"
			die "Nonmodular kernel detected, will not build kernel modules"
		fi
	fi

	[[ ${build_modules} -eq 1 ]] && linux-mod-r1_pkg_setup
}

src_configure() {
	export bashcompdir="$(get_bashcompdir)"

	econf \
		--enable-bashcompl \
		$(use_with modules kmod) \
		--with-maxsets=${IP_NF_SET_MAX} \
		--with-ksource="${KV_DIR}" \
		--with-kbuild="${KV_OUT_DIR}"
}

src_compile() {
	einfo "Building userspace"

	local modlist=( xt_set=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/:
					em_ipset=kernel/net/sched:"${S}":kernel/net/sched/:modules )

	for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,mac,mark,port{,ip,net}},mac,net{,port{,net},iface,net}},_list_set}; do
		modlist+=( ${i}=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/ipset )
	done

	emake

	if [[ ${build_modules} -eq 1 ]]; then
		einfo "Building kernel modules"
		linux-mod-r1_src_compile
	fi
}

src_install() {
	einfo "Installing userspace"
	default

	find "${ED}" -name '*.la' -delete || die

	newinitd "${FILESDIR}"/ipset.initd-r7 ${PN}
	newconfd "${FILESDIR}"/ipset.confd-r1 ${PN}
	systemd_newunit "${FILESDIR}"/ipset.systemd-r1 ${PN}.service
	keepdir /var/lib/ipset

	if [[ ${build_modules} -eq 1 ]]; then
		einfo "Installing kernel modules"
		linux-mod-r1_src_install
	fi
}